This page is copyrighted by the Ycash Foundation, 2019. It is posted in order to conform to this standard: https://github.com/RD-Crypto-Spec/Responsible-Disclosure/tree/d47a5a3dafa5942c8849a93441745fdd186731e6
The Ycash Foundation is committed to working with researchers who submit security vulnerability notifications to us to resolve those issues on an appropriate timeline and perform a coordinated release, giving credit to the reporter if they would like.
Please submit issues to security@ycash.xyz, using the following PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
=zYup
-----END PGP PUBLIC KEY BLOCK-----
In the case where we become aware of security issues affecting other projects that have never affected Ycash, our intention is to inform those projects of the security issues on a best-effort basis.
In the case where we fix a security issue in Ycash that also affects the following neighboring projects, our intention is to engage in responsible disclosure with them as described in https://github.com/RD-Crypto-Spec/Responsible-Disclosure, subject to the deviations described in the section at the bottom of this document.
We unilaterally commit to share vulnerability information with the following neighboring projects, subject to the deviations described in the next section.
Specifically, we unilaterally commit to engage in responsible disclosures for security issues affecting Ycash technology with the following contacts:
- security@z.cash via PGP
Ycash is based on Zcash. Zcash is a technology that provides strong privacy. Notes are encrypted to their destination, and the integrity of the monetary base is maintained via zero-knowledge proofs that are intended to be creatable only by the genuine holder of Zcash. If this fails and a counterfeiting bug results, that bug might be exploited without any way for blockchain analyzers to identify the perpetrator or which data in the blockchain was used to exploit it. Rollbacks to a point before the exploit, such as have been executed in some other projects in such cases, are therefore impossible.
The standard describes reporters of vulnerabilities including full details of an issue so that it can be reproduced. This is necessary, for instance, when an external researcher must both demonstrate and prove that there really is a security issue, and that the issue really has the impact they say it has, allowing the development team to accurately prioritize and resolve it.
In the case of a counterfeiting bug, however, just as with CVE-2019-7167, we might decide not to include those details in our reports to partners ahead of a coordinated release, so long as we are sure that they are vulnerable.